Splunk® Enterprise

Search Reference

Acrobat logo Download manual as PDF


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Acrobat logo Download topic as PDF

mvcombine

Description

Takes a group of events that are identical except for the specified field, which contains a single value, and combines those events into a single event. The specified field becomes a multivalue field that contains all of the single values from the combined events.

There are situations where the mvjoin eval function is a better option than the mvcombine command. See Usage.

Syntax

mvcombine [delim=<string>] <field>

Required arguments

field
Syntax: <field>
Description: The name of a field to merge on, generating a multivalue field.

Optional arguments

delim
Syntax: delim=<string>
Description: Defines the string to use to generate the combined-string form of the combined single value field. For example, if the values of your field are "1", "2", and "3", and delim is ", " then your combined single value field would be "1, 2, 3".
Default: a single space, (" ")

Usage

You can use evaluation functions and statistical functions on multivalue fields or to return multivalue fields.

The mvcombine command accepts a set of input results and finds groups of results where all field values are identical, except the specified field. All of these results are merged into a single result, where the specified field is now a multivalue field.

Because raw events have many fields that vary, this command is most typically useful after paring down the set of available fields with the fields command. The command is also useful for manipulating the results of certain reporting commands.

Specifying delimiters

The mvcombine command creates a multivalue version of the field you specify, as well as a single value version of the field. The multivalue version is displayed be default.

The single value version of the field is a flat string that is separated by a space or by the delimiter that you specify with the delim argument.

By default the multvalue version of the field is displayed in the results. To display the single value version with the delimiters add the |nomv command to the end of your search. For example ...| mvcombine delim "," host | nomv host.

Some forms modes of investigating the search results prefer this single value representation, such as exporting to CSV in the UI, or running a command line search with splunk search "..." -output csv. Some commands that are not multivalue aware might use this single value as well.

Most ways of accessing the search results prefer the multivalue representation, such as viewing the results in the UI, or exporting to JSON, requesting JSON from the command line search with splunk search "..." -output json or requesting JSON or XML from the REST API. For these forms of, the selected delim has no effect.

Using mvjoin instead of mvcombine

If the field is a multivalue field and you want a single valued field with a different delimiter, use the mvjoin evaluation function. For example, a multivalue field contains the values "1","2","3","4","5". You want a single valued field with OR as the delimiter, such as "1 OR 2 OR 3 OR 4 OR 5". Use the mvjoin function and not the mvcombine command. See Multivalue Eval Functions.

Examples

1. Creating a multivalue field

This example uses the sample dataset from the Search Tutorial. To try this example yourself, download the data set from Get the tutorial data into Splunk and follow the instructions in the Search Tutorial to upload the data.

To understand how mvcombine works, let's explore the data.

  1. Set the time range to All time.
  2. Run the following search.

    index=* | stats max(bytes) AS max, min(bytes) AS min BY host

    The results show that the max and min fields have duplicate entries for the hosts that start with www. The other hosts show no results for the max and min fields.

    7.0.0 Searchref mvcombine ex1-compressor.png

  3. To remove the other hosts from your results, modify the search to add host=www* to the search criteria.

    index=* host=www* | stats max(bytes) AS max, min(bytes) AS min BY host

    Because the values in the max and min columns contain the exact same values, you can use the mvcombine to combine the host values into a multivalue result.

  4. Add | mvcombine host to your search and run the search again.

    index=* host=www* | stats max(bytes) AS max, min(bytes) AS min BY host | mvcombine host

    Instead of three rows, one row is returned. The host field is now a multvalue field.

    7.0.0 Searchref mvcombine ex1-2-compressor.png

2. Returning the delimited values

As mentioned in the Usage section, by default the delimited version of the results are not returned in the output. To return the results with the delimiters, you must return the single value string version of the field.

Add the nomv command to your search. For example:

index=* host=www* | stats max(bytes) AS max, min(bytes) AS min BY host | mvcombine delim="," host | nomv host


7.0.0 Searchref mvcombine ex2-compressor.png

To return the results with a space after each comma, specify delim=", ".

Example 3:

In multivalue events:

sourcetype="WMI:WinEventLog:Security" | fields EventCode, Category,RecordNumber | mvcombine delim="," RecordNumber | nomv RecordNumber

Example 4:

Combine the values of "foo" with a colon delimiter.

... | mvcombine delim=":" foo

See also

Commands:
makemv
mvexpand
nomv

Functions:
Multivalue eval functions
Multivalue stats and chart functions
split

Answers

Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the mvcombine command.

Last modified on 21 November, 2018
PREVIOUS
multisearch 		  NEXT
mvexpand

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters